Another important distinction is that the former will prevent SQL injection attacks, while the latter can make such attacks possible.
http://en.wikipedia.org/wiki/SQL_injection On Sun, Nov 14, 2010 at 2:06 PM, Andrus Adamchik <[email protected]> wrote: > > On Nov 13, 2010, at 12:40 AM, Marek Šabo wrote: > > >> SELECT #result('COUNT(id)' 'Long' 'count') >> from User #chain('AND' 'WHERE') #chunk($userId) id = #bind($userId) #end >> #chunk($userName) userInfo.name LIKE $userName #end #end > >> becuase of "userInfo.name" which is object-style. So my first question is >> whether there is a way of accomplishing this with EJBQL so I don't have to >> work with joins there. > > > Yeah, something like this should work: > > SELECT COUNT(a) FROM User a WHERE a.id = :userId AND a.userInfo.name like > :userName > >> Second, what is the difference between #bind($a) and just $a. Both works and >> I suppose it's close to similar. > > The former results in a JDBC parameter inclusion and a call to > PreparedStatement.setXYZ(a), the later is embedded in the SQL as a String. So > the former let's JDBC driver to do the right type conversions and is a > recommended way to insert *parameter* objects in the query. The later form > can be used to dynamically build parts of SQL query that are not parameters. > It will work for some parameters as well (e.g. Strings), but won't work for > others (e.g. Date). > > Andrus
